(54) Browser system

(57) A Web browser (210) is configured to run in a middle compartment (206) of a compartmented mode workstation (CMW) (200). The operation of the Web browser (210) is prevented from accessing or damaging other compartments of the CMW machine (200) as a result of mandatory access control (MAC), which is configured appropriately.

The Web browser (210) communicates with Web servers (252) attached to the Internet (240), the Internet being connected to an outside compartment of the CMW machine (210), via a trusted outside process (TPO) (214). TPO (214) has the privileges required to override MAC. The Web browser (210) communicates with a display server (232), which is attached to an inside compartment (204) of the CMW machine (210), via a trusted inside process (TPI) (204). TPI also has privileges to override MAC. The Web browser (210) can request and receive Web pages incorporating mobile code, and can process the mobile code safely within the middle compartment (206). As a result of processing the mobile code, the Web browser (210) sends only X-messages to the display server (232), in order that the display server can render the images resulting from the processed mobile code.
Description

Technical Field



[0001] The present invention relates in general to computerised systems for down-loading, or 'browsing', information stored in computer-readable form. More particularly, although not exclusively, the invention relates to a browser system for browsing information that contains mobile code retrievable from the World Wide Web.

Background Art 



[0002] The World Wide Web (Web) may be thought of as a global village where computers (hosts) are the buildings, and the worldwide computer network known as the Internet forms the streets. The computers have addresses (IP Addresses) consisting of four numbers separated by periods. Many hosts also have nicknames known as domain names. A Web site typically consists of a UNIX or Microsoft Windows based Web server, which runs on a host and 'serves' software or content to other computers accessing the Web site. A Web site is not a single application, but a system that provides access to applications and data stored on the host, as well as inside an organisation. A user utilises a 'Web browser' running on a 'client computer' to access the software or content on the Web server.
[0003] Figure 1 illustrates a client computer 100 executing a Web browser program 105 that is employed by a user to communicate over the Internet 110, in a special language called HyperText Transfer Protocol (HTTP) 115, with a host computer 120 executing a Web server program 125 to obtain data. Hereafter, the term 'Web browser' may be used interchangeably to describe a Web browser program or the program in execution on a computer, depending on the context. In the diagram, and in following diagrams, solid connection lines represent physical connections between hardware and broken connection lines represent logical connections between software processes. The most basic Web transaction involves the transmission of Web pages written in HyperText Markup Language (HTML) from the Web server 125 to the Web browser 105. Upon request by the user at the Web browser 105, the Web server 125 translates the HTML-based Web page into HTTP and sends it over the Internet 110 for display as a Web page on the requesting browser 105. The Web browser 105 receives the HTTP-encoded Web page, translates the HTTP back into HTML and displays the page.
[0004] The concept of 'mobile code' has been developed to extend the functionality of the Web. Mobile code is typically code associated with a Web page which, when downloaded from a Web server, automatically executes within the environment of the requesting Web browser. In a simple form, mobile code can be used to enhance the graphical appearance of a Web page by, for example, implementing simple animation. It is envisaged, however, that mobile code will be used to implement many different and far more complex functions in future. A good example of one use for mobile code is to download transactional clients, which support specialised user interfaces, to support data transfer between client and server applications.
[0005] Commonly, mobile code is written in the Java programming language as a Java applet. Mobile code may also be written in other languages, such as defined in the ActiveX model. Both Java applets and ActiveX control functions can be embedded into a standard Web page. Therefore, the simple operation of downloading a Web page can also download and activate associated mobile code.

[0006] While mobile code can greatly extend the functionality of the Web, the same extended functionality, by its nature, leads to serious security issues.
[0007] Mobile code, and Web browsers that run mobile code, are developed according to rigid security guidelines which are intended to prevent the possibility that malicious users can use mobile code to cause harm to the computing environment surrounding a Web browser. However, there are already many documented flaws in the security measures, which can lead to devastating results. Typically, the party downloading 'rogue' mobile code would be unaware of the damaging effect thereof until it was too late.

[0008] Some serious mobile code attacks known take advantage of bugs in the mobile code processing environment of the Web browser, which allow the mobile code to gain control over the operating system of the computing platform. From this position, the mobile code could cause damage such as deleting all files on the computer, or even launching attacks on other, networked computing platforms.

[0009] Other serious mobile code attacks are known as 'social engineering' attacks. These attacks rely on tricking an unwary user by, for example, sending the user a 'patch' for the Web browser, and suggesting that the patch is to remedy a security flaw in the Web browser. The patch, instead of being one that remedies a security flaw, actually overwrites good code with code that creates a security flaw. There are many other ways of tricking unwary users in this way.
[0010] Web browsers which can run mobile code, such as Netscape Navigator™, typically include the option to 'disable' mobile code processing, thereby preventing the potential for any damage, even if mobile code is downloaded. Of course, this radical measure, whilst being very effective, also removes any benefit which can be obtained from genuine, safe mobile code.

[0011] It would therefore be desirable to have a system in which mobile code can be executed safely, while at the same time not allowing rogue mobile code to cause any damage to any system.
Disclosure of Invention

[0012] In accordance with a first aspect, the present invention provides a secure browser system as claimed in claim 1.
[0013] The term browser is commonly associated with complex and sophisticated programs such as Netscape Navigator™ or Internet Explorer™. These programs are well known. However, herein, the term browser is used more broadly to include any program or system which, when running, is able to receive a requested resource, for example a Web page, from a source such as a Web server connected via a communications network to the browser. Further, a browser according to the present invention can even receive unsolicited resources as a result of, for example, some form of 'push' technology, which distributes resources or messages to registered subscribers.
[0014] The invention has the advantage that mobile code is processed in a secure environment, so that the client, which is apart from the environment, remains relatively safe from attack. The client only receives data from the browser to visualise the output of the processing of the mobile code on the browser. The client is, therefore, in effect able to access mobile code, and see the result of the processing of the mobile code, without being subjected to any threat from rogue mobile code.
[0015] In a preferred embodiment of the present invention, the browser system comprises a secure operating system, for example one which enforces Mandatory Access Control (MAC), such that mobile code and the browser are unable to damage the system running the browser, let alone the client.
[0016] While the invention, in general, aims to protect user systems from rogue mobile code, and from vulnerable browsers running rogue mobile code, embodiments which employ secure operating systems, such as those providing MAC, can be configured to also provide a high level of protection to the computer platform that supports the browser running the mobile code. Such systems consequently can provide even more protection to users' systems, by greatly reducing the risk of mobile code reaching users' systems, or other parts of the network, by some other route.

[0017] Other aspects and features of the invention are described and claimed below.



Brief Description of Drawings

[0018] A preferred embodiment of the present invention will now be described, by way of example only, with reference to the accompanying drawings, of which:

Figure 1 is a diagram illustrating a standard Web environment;

Figure 2 is a diagram illustrating a CMW machine configured for operation in accordance with the present embodiment;

Figure 3 is a diagram, which illustrates the 'dominates' relationships between compartments defined in the CMW machine of Figure 2;

Figure 4 is a diagram, which illustrates the relationships, and protocols that exist between the processes that operate for the purposes of the present embodiment;

Figure 5 is a flow diagram which illustrates the steps required to initiate a CMW machine for operation in accordance with the present embodiment; and

Figure 6 is a flow diagram, which illustrates the steps involved for the purposes of the present embodiment when a client requests a Web page including mobile code.

Best Mode for Carrying Out the Invention



[0019] According to the present embodiment, the Web browser operates on a computing platform within the environment of a secure operating system that enforces MAC. A particularly suitable secure operating system is the HP-UX 10.09.01 Compartmented Mode Workstation (CMW) sold by Hewlett-Packard Company, which provides a MAC policy governing the way data may be accessed on a trusted system.
[0020] The MAC policy is a computerised version of the US Department of Defence's long-standing multi-level security policy for handling classified information. The MAC policy uses labels that reflect information sensitivity, and maintains those labels for every process and file system object to prevent users not cleared for certain levels of classified information from accessing it. Under MAC, users and processes are also assigned clearances. A clearance defines the maximum sensitivity label the user or process can access, which is necessary since some users and processes have privileges that allow them to switch between sensitivity labels. Using the MAC policy, the operating system controls access based on the relative sensitivity of the applications running and the files they access. The HP-UX CMW operating system rates as a B1 grade secure operating system, according to the Orange Book [NCSC] criteria. In general B1 and higher-grade operating systems apply some form of MAC.
[0021] The HP-UX 10.09.01 CMW [DIA 91] is described in detail in the documents referenced at the end of this description, which are available from Hewlett-Packard Company. At the time of writing this description, HP-UX 10.09.01 CMW is the current version of the operating system. Future versions of the operating system, and the respective documentation, will, however, remain relevant to the present description and embodiment.

[0022] Hereinafter, for convenience of description only, the term "CMW machine" is intended to mean a computing platform with an operating system having additional, CMW security features, which are described below. A particularly suitable operating system is Hewlett-Packard Company's HP-UX CMW operating system.

[0023] The following description describes in detail how to use Mandatory and Discretionary Access Controls, Sensitivity Labels, Trusted Processes and Privileges on a CMW machine to restrict the behaviour of mobile code and of a Web browser that downloads this code. A preferred arrangement is shown in Figure 2.
[0024] Figure 2 illustrates a CMW machine 200 connected via an internal network 220 to a user machine 230 running a display server 232, and via an external network to a Web server machine 250 running a Web server 252. The internal network 220 is also shown connected to other apparatus, labelled w, x, y and z (labelled 222, 224, 226 and 228 respectively), which can be other user machines, servers or network appliances such as printers. The external network comprises a connection from the CMW machine 200 to the Internet 240 (via appropriate switching and routing equipment, which is not shown). The user machine 230 can be, for example, a PC, a UNIX workstation or an X terminal. For the present purposes, the user machine 230, in whatever form, is running an X display server 232. The internal network 220 comprises an Ethernet, which supports TCP/IP communications between the user machine 230 and the CMW machine 200.
[0025] The CMW machine 200 is configured to have one classification: System (S) 202; and three compartments: Inside (I) 204, Middle (M) 206 and Outside (O) 208. This generates eight sensitivity labels (the operation of which will be described in detail below) of which only five are used in Figure 2: S, SI, SM, SO, SIMO (shown as 216). The three other possible sensitivity labels - SIO, SIM, and SMO - are unused in this embodiment. The CMW machine 200 incorporates a Web browser 210, which is arranged to run in the SM compartment. The Web browser 210 in this case is a Netscape Navigator™ browser. A compartment is, in effect, a virtual machine within which processes and file objects associated with the virtual machine can operate or be operated on.

[0026] The display server 232 is attached to the SI compartment of the CMW machine 200, and the external network is attached to the SO compartment of the CMW machine 200. Thus, data received from, or transmitted onto, the external network acquires the sensitivity label of the SO compartment. Also, data sent to or received from the display server 232 acquires the sensitivity label of the SI compartment.
[0027] As already mentioned, sensitivity labels are associated with every process and file system object, and are used as the primary basis for all MAC policy decisions. A sensitivity label represents the sensitivity of a process or a file system object and also the data each contains. If an application and the file it attempts to access have compatible sensitivity labels, the application can read, write, or possibly execute the file, and each new process typically inherits the sensitivity label of its parent. For example, if a program is executed within a shell (for example, sh(1), csh(1), or ksh(1)), the new process automatically inherits the sensitivity label of the shell process. New files always inherit the sensitivity label of the process that creates them. The system can provide special trusted programs that may be employed for changing the sensitivity label of a file after it has been created.

[0028] Sensitivity labels are prioritised for MAC in a way that determines how processes or objects having one sensitivity label can interact with processes or objects having different sensitivity labels. The prioritisation is defined internally of the operating system. The diagram in Figure 3 represents the relationship between the parts of the system illustrated in Figure 2.
[0029] In Figure 3, the arrows point from dominating sensitivity labels to dominated sensitivity labels. Thus, in Figure 3: SIMO dominates SI, SM and SO; SO dominates S; SM dominates S; and SI dominates S. It should be noted that SO, SM and SI have no 'dominates' relationships between them. Also, the labels SMO, SIO and SIM, which are not used in the present embodiment, are illustrated for completeness in boxes with dashed lines to indicate where they would appear. One further important aspect of the dominates relationships, which is not shown in the diagram, is that each sensitivity label dominates itself.

[0030] Users are generally not permitted to downgrade (by reducing the respective sensitivity labels of) any files, processes or objects which they control so that the new label is dominated by the previous label. Also, users are not permitted to cross grade them so that the new label is incomparable to the previous one. The system is also configured so that downgrading and cross grading are not enacted automatically by the acts of reading or writing.

[0031] The effect of the MAC policy is to rigidly control information flow in the system, from process to file to process, to prevent accidental or intentional mislabelling of sensitive information. To achieve this, for every operation, the system compares sensitivity labels to determine if a user or process can access an object. Any time a user or process tries to read, write, or execute a file, the system examines the process and object sensitivity labels and consults its MAC rules. For each operation a process requests, the system determines if the process has mandatory read or mandatory write access to the object. Most restrictions that the MAC policy enforces can be summarised by the two following rules:

(1) Mandatory read access: a process can read or execute a file, search a directory, or (subject to other privilege requirements) read the contents of other objects if the process's sensitivity label dominates the object's. All of these operations involve transferring data from the object to the process, so having such access is referred to as "mandatory read" access.

(2) Mandatory write access: a process can write to a file, remove or create an entry in a directory, or change any object's security attributes (including its sensitivity label), if the process's sensitivity label is the same as the object's. All of these actions involve transferring data from the process to the object, so having such access is called "mandatory write" access.

[0032] The first rule prevents a user who is not cleared for classified information from seeing it. The second rule prevents a user with a high clearance from revealing information to other users with lower clearances.
[0033] In effect, MAC in the CMW machine 200 ensures that information can flow only in the opposite direction to the "dominates" relationship. Thus MAC allows the mobile code and Web browser 210 to read data only with a sensitivity label of "S" or "SM". The Web browser 210 and mobile code can write data only with a sensitivity label of "SM". Neither the Web browser 210, nor the mobile code, is able to gain direct access to either the inside network or the outside network, since these have sensitivity labels of "SI" and "SO".
[0034] The CMW machine 200 does not impose the concept of an all-powerful "Super User" (e.g. "root") or Administrator. Instead, this power is divided up into a number of privileges. Assigning privileges to a program confers on it power to do particular actions. Programs with these privileges are known as "trusted processes". Trusted processes, TPI (trusted process - inside) 212 and TPO (trusted process - outside) 214, shown in Figure 2, have the privileges that allow them to override the MAC. Thus the Web browser 210 and mobile code must use TPI 212 and TPO 214 to gain access to the internal and external networks.

[0035] Trusted processes are typically very small programs, which are carefully designed to carry out a single, specific process, such as passing specific data between compartments in a CMW machine. Trusted processes have privileges which enable them to override MAC, but these privileges are only raised when required, and lowered thereafter, to minimise the chances of misuse by any other user or process. Also, a trusted process checks whether a user or other process has the right to access it before allowing such access.
[0036] TPI 212 is a trusted process that manages the interaction between the real Web browser 210 (and mobile code) running in the SM compartment, and the display server 232 running on the inside network. In some embodiments, the display server 232 could in fact be running in the SI compartment on the CMW machine 200, but this would be less likely in a networked environment. TPI 212 has the necessary privileges that enable it to override MAC and pass data between the SI and SM compartments.

[0037] TPO 214 is a trusted process, which manages interaction between the real Web browser 210 (and mobile code) running in the SM compartment, and the Internet 240, which is connected to the SO compartment.

[0038] All messages from the Web browser 210 (and mobile code) to the external network are sent via TPO 214. TPO 214 can be configured to block undesirable messages from the Web browser 210, such as attempts to communicate with prohibited external sites or attempts to download mobile code from certain sites. Additionally, TPO 214 can be configured to block messages emanating from the downloaded code when it executes in the Web browser 210. TPO 214 can also be configured to filter incoming messages intended for the Web browser 210, in a similar fashion to a packet filter or firewall. The Web browser 210 runs in the SM compartment without any privileges. The Web browser 210 is configured to direct every network connection to TPO 214 by making use of built-in SOCKS functionality. That is to say, the Web browser 210 must support SOCKS, as will be described below.

[0039] The Web browser 210's executable file, the files, directories and the resources that are only read by the Web browser 210, such as the configuration files, are given the label S. The result is that the MAC protects these resources so that users, a broken browser or malicious mobile code cannot bypass the security administration by overwriting them with their own copies of these files. Other files that need to be both read and written to by the Web browser 210, such as a bookmark file, history files or a cache, are labelled as SM.
[0040] All the users and hosts of the internal network 220 are given the label SI and all the hosts of the Internet 240 are given the label SO. Since the Web browser 210 has no privileges, it and all its child processes, such as those executing mobile code, can only run with the label SM. Therefore, the behaviour of the Web browser 210 and mobile code is encapsulated in the SM compartment.

[0041] Thus, the CMW machine 200 configuration shown in Figure 2 ensures that the Web browser 210 running in the SM compartment cannot interfere with other processes running with other sensitivity labels. This configuration can be generalised to an arbitrary number of middle compartments (Middle_1 ... Middle_n). Each compartment can be used to isolate a Web browser 210 and any associated mobile code accessed by a user connected to the CMW machine 200. If some controlled sharing of information between the code in the Web browsers is required, multiple browsers can run in the same compartments, under different user identifiers. The CMW machine 200 therefore acts as a Web browser 210 server to let multiple users on the inside network use Web browsers 210 and mobile code securely and conveniently. Each user has a personal copy of his or her Web browser 210 resources, such as a bookmark file, on the CMW machine 200, with these resources all having the same sensitivity label.
Conventional Discretionary Access Control (DAC), as found in general operating systems such as UNIX, can be used to specify which local files owned by one user the mobile code downloaded by another user can access.

[0042] The implementation of the above architecture consists of four components, three of which have been described above, namely: TPI 212, TPO 214 and the Web browser 210. These three components, and a fourth component, the trusted browser front end (TBFE), are illustrated in Figure 4. Figure 4 shows the relationship between these four components and the communication protocols in use between them.

[0043] The diagram in Figure 4 shows that the TBFE is a parent process to TPI 212, TPO 214 and the Web browser 210. In other words, TPI 212, TPO 214 and the Web browser 210 are child processes of the TBFE. Communications between TPI 212 and the Web browser 210 comprise X-messages, communications between the Web browser 210 and TPO 214 comprise SOCKS messages and the communications between TPI 212 and the display server 232 comprise X-messages.

[0044] The following six privileges are defined within CMW and are used in accordance with the present embodiment to support the present system:

Allowmacread: overrides MAC restrictions on read operations, allowing a process having this privilege to read an object's data and attributes regardless of the object's sensitivity label;

Allowmacwrite: overrides MAC restrictions on write operations, allowing a process having this privilege to write an object's data and attributes regardless of the object's sensitivity label;

Chsubjsl: (stands for change subject sensitivity label) allows a process having this privilege to change its own sensitivity label to any label dominated by the process's clearance;

Configaudit: required by the ioctl(2) interface and used to configure the security audit system;

Suspendaudit: if raised, the security audit system does not produce system call records on behalf of the processes. Most trusted processes raise this privilege because they produce their own audit records, making those automatically generated by system calls unnecessary; and

Writeaudit: required by the write(2) interface of the audit device to append records to the audit trail.

[0045] TPI 212 comprises a proxy display server (in this embodiment, a proxy X-server [X Window]). The Web browser 210 in effect sends all X requests needed to render itself on a screen to TPI 212, rather than to a local display server. Subsequently, TPI 212 forwards the requests to the remote display server 232 running on the user machine 230. TPI 212 can also be configured to filter out undesirable or dangerous messages before forwarding them to the remote display server 232 on the internal network 220. For example, TPI 212 may be configured to connect only to a predefined set of hosts or clients, and only to the display servers on those hosts. The details of such a configuration are beyond the scope of the present description, but are within the limits of ability of the skilled person.

[0046] For operation in accordance with the present embodiment, TPI 212 requires the Chsubjsl privilege to allow it to receive connections from both the SI and SM compartments. TPI 212 also requires the Allowmacread and Allowmacwrite privileges, so that it can pass data between the SM and SI compartments. TPI 212 also needs Configaudit, Suspendaudit and Writeaudit privileges to configure, manipulate and write audit records as mentioned above.

[0047] TPO 214 comprises a connection request proxy, which in the present embodiment is a modified SOCKS server that uses the SOCKS [SOCKS] protocol to communicate with the Web browser 210, and mobile code downloaded by the Web browser 210, in the SM compartment. SOCKS is a well known, freeware proxy server, used to relay TCP streams between a client and the Internet 240. It is known to configure and use SOCKS as a filter or firewall application.

[0048] SOCKS is modified in TPO 214 in the present embodiment so that it can accept connections originating from multiple sensitivity labels. That is, TPO 214 can accept connections from the SM compartment, as well as from the SO compartment. This is achieved as with TPI 212, using the Chsubjsl privilege. TPO 214 can also pass the data between compartments having different sensitivity labels using the Allowmacread and Allowmacwrite privileges, subject to the security criteria set up by the system's security administrator.

[0049] TPO 214 also needs Configaudit, Suspendaudit and Writeaudit to configure, manipulate and write audit records.

[0050] The process for initialising a Web browser 210 and its associated proxies will now be described with reference to the flow diagram in Figure 5.

[0051] In step 500, a TBFE is started remotely by the user, who has an account on the CMW machine 200, which authorises the user to activate a Web browser 210. The user can start TBFE by making use of remote execution functions provided by UNIX, such as 'remsh' or 'rexec'. To do this, the user would first have to be logged on to the CMW machine 200. The server version of these functions can be rewritten to take advantage of the CMW machine 200 to enhance security, but a description of how to achieve this is outside the scope of this text. A shell script to start the TBFE on the CMW machine 200 is installed on the user's machine. An alternative to a shell script would be to use Secure Shell (SSH) to provide a secure login. Conveniently, SSH also encrypts the X-protocol messages, by using the SSH server (on the CMW machine 200) to pass the X-messages to the SSH client (on the user's machine). The SSH client then forwards the X-messages to the X-server running on the user's machine.
[0052] In step 510, when TBFE is started, it reads and 
parses its configuration file to check for semantic errors. 
An exemplary configuration file is reproduced below: 

    # lines starting with # are comments
    #
    # start tpi at system inside and let it talk with system middle
    BEGIN_INIT{
    #location of the program
    PROGRAM: /home/proj1/tpi
    #sensitivity label to start the program
    LEVEL: SYSTEM INSIDE
    #arguments passed to the program
    ARG: -l "SYSTEM MIDDLE" -s zhong-q-1 -n 1
    }END_INIT
    #
    #start tpo at system outside
    BEGIN_INIT{
    PROGRAM: /home/proj1/tpo
    LEVEL: SYSTEM OUTSIDE
    #arguments passed to program to define SOCKS options
    ARG: -d 3 -s
    }END_INIT
    #
    #start netscape at system middle with the tpi as the x-server
    BEGIN_INIT{
    PROGRAM: netscape
    LEVEL: SYSTEM MIDDLE
    #Netscape configuration argument
    ARG: -display localhost:1
    }END_INIT
    #



[0053] Each process to be spawned by the TBFE has one entry in the TBFE configuration file. In the configuration file listed above, there are entries for TPI 212, TPO 214 and the Web browser 210. Each entry specifies the location of the program file in the CMW machine 200's file system, the sensitivity label to start the program and the parameters (argument vectors, or ARGs) which should be passed to the program. The parameters define the communication channels between the different processes, such as the TCP port number that the TPI 212 should listen to and the X-server that the Web browser 210 should direct the display message to.
[0054] The TBFE configuration file includes an entry 
for TPI 212. The entry specifies the location of the TPI 
212 program, assigns to TPI 212 the label "SYSTEM 
INSIDE", and declares the following parameters: "-I" 



defines the sensitivity label "SYSTEM MIDDLE" for TPI 
212 to interact with; "s" defines the display server 232 
"zhong-q-1" to be used; and "-n" defines the proxy 
number "1" used for communications with the display 
5 server 232. In practice, display servers are allocated 
port numbers running from 6000. Thus, a proxy number 
of "1" maps to a port number of 6001 . 
[0055] The configuration file also includes an entry for 
TPO 214. The entry specifies the location of the TPO 
w 214 program, assigns to TPO 214 the label "SYSTEM 
OUTSIDE", and declares the following parameters: "-d" 
defines the debug level as "3"; and "-s" sends all the 
debug information to be displayed on "stderr". 
[0056] Finally, the configuration file includes an entry 
15 for the Web browser 21 0. The entry specifies the loca- 
tion of the Web browser 210 program, assigns to the 
Web browser 210 the label "SYSTEM MIDDLE" and 
declares the parameter: "-display localhost: 1". which 
configures Netscape to send display messages to TPI 
20 212. on proxy server number 1 . instead of to the default 
X-server. 
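The following parser is an added example, not part of the patent and not the TBFE's own code. Its grammar is inferred from the listing in paragraph [0052] (lines beginning with "#" are comments, each process sits in a BEGIN_INIT{ ... }END_INIT block with PROGRAM:, LEVEL: and ARG: fields) and the semantic checks it performs (mandatory PROGRAM and LEVEL, LEVEL restricted to the three compartment labels) are assumptions about what "checking for semantic errors" in step 510 covers. The proxy-number-to-port rule (6000 + n) is the one stated in paragraph [0054]; the sample configuration is constructed to mirror the listing.

```python
"""Parser for a TBFE-style configuration file (added example; the field
names and block delimiters follow the listing above, the validation rules
are assumptions)."""
import shlex
from dataclasses import dataclass, field

VALID_LEVELS = {"SYSTEM INSIDE", "SYSTEM MIDDLE", "SYSTEM OUTSIDE"}
X_BASE_PORT = 6000  # display :n is reached on TCP port 6000 + n


@dataclass
class Entry:
    program: str
    level: str
    args: list = field(default_factory=list)


class ConfigError(ValueError):
    """Raised for the semantic errors the parser is asked to detect."""


def parse_tbfe_config(text):
    """Return one Entry per BEGIN_INIT{ ... }END_INIT block, in file order."""
    entries, current = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # blank or comment line
            continue
        if line == "BEGIN_INIT{":
            if current is not None:
                raise ConfigError(f"line {lineno}: nested BEGIN_INIT")
            current = {"args": []}
            continue
        if line == "}END_INIT":
            if current is None:
                raise ConfigError(f"line {lineno}: END_INIT without BEGIN_INIT")
            entries.append(_build_entry(current, lineno))
            current = None
            continue
        if current is None:
            raise ConfigError(f"line {lineno}: field outside a BEGIN_INIT block")
        key, sep, value = line.partition(":")
        if not sep:
            raise ConfigError(f"line {lineno}: expected KEY: value")
        key, value = key.strip().upper(), value.strip()
        if key == "ARG":
            # shell-style splitting keeps a quoted "SYSTEM MIDDLE" as one argument
            current["args"].extend(shlex.split(value))
        elif key in ("PROGRAM", "LEVEL"):
            if key in current:
                raise ConfigError(f"line {lineno}: duplicate {key}")
            current[key] = value
        else:
            raise ConfigError(f"line {lineno}: unknown field {key}")
    if current is not None:
        raise ConfigError("unterminated BEGIN_INIT block")
    return entries


def _build_entry(fields, lineno):
    for required in ("PROGRAM", "LEVEL"):
        if required not in fields:
            raise ConfigError(f"block ending at line {lineno}: missing {required}")
    if fields["LEVEL"] not in VALID_LEVELS:
        raise ConfigError(f"block ending at line {lineno}: unknown label {fields['LEVEL']!r}")
    return Entry(fields["PROGRAM"], fields["LEVEL"], fields["args"])


def proxy_port(entry):
    """TCP port implied by a TPI entry's -n proxy number (6000 + n), or None."""
    if "-n" not in entry.args:
        return None
    return X_BASE_PORT + int(entry.args[entry.args.index("-n") + 1])


# Constructed sample mirroring the listing in paragraph [0052].
SAMPLE_CONFIG = """\
# start tpi at system inside and let it talk with system middle
BEGIN_INIT{
  PROGRAM: /home/proj1/tpi
  LEVEL: SYSTEM INSIDE
  ARG: -l "SYSTEM MIDDLE" -s zhong-q-1 -n 1
}END_INIT
# start tpo at system outside
BEGIN_INIT{
  PROGRAM: /home/proj1/tpo
  LEVEL: SYSTEM OUTSIDE
  ARG: -d 3 -s
}END_INIT
# start netscape at system middle with the tpi as the x-server
BEGIN_INIT{
  PROGRAM: netscape
  LEVEL: SYSTEM MIDDLE
  ARG: -display localhost:1
}END_INIT
"""

if __name__ == "__main__":
    for e in parse_tbfe_config(SAMPLE_CONFIG):
        print(e.program, e.level, e.args, proxy_port(e))
```

Rejecting an unknown LEVEL at parse time matters because the label is what the spawned child inherits (step 525): a typo there would start a proxy in the wrong compartment rather than fail loudly.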

[0057] After reading the configuration file successfully, in step 515 the TBFE processes the entries one by one. For each entry in the configuration file, in step 520, the TBFE raises the Chsubjsl privilege, which allows it to adopt the sensitivity label required for the respective child process in step 525. In step 530, the TBFE drops the Chsubjsl privilege, to prevent a spawned process from misusing it. Then, in step 535, TBFE spawns the respective child process. In effect, TBFE changes its own sensitivity label to the required sensitivity label of the child process that it is going to spawn, in order that the child process inherits the correct sensitivity label, as specified in the configuration file. Next, the TBFE again raises the Chsubjsl privilege in step 540, reverts to its original sensitivity label in step 545 and, finally, drops the Chsubjsl privilege in step 550. This process repeats, in step 555, for all three entries in the configuration file until both proxies and the Web browser 210 have been spawned. 

[0058] Finally, in step 560, the TBFE waits for one of the child processes that it spawned to terminate (this will usually be the Web browser 210 when the user has finished using it), and then, in step 565, sends exit signals to the other child processes and itself exits in step 570. Thus, TBFE acts as a single point of entry to the Web browser 210. Also, the TBFE will terminate the whole group of processes when any single member terminates for any reason. 
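The supervisor below is an added example of the start-up and shutdown sequence in paragraphs [0057] and [0058] (steps 515 to 570); it is not the TBFE's code. An ordinary host has no Chsubjsl privilege and no sensitivity labels, so a hypothetical PrivilegeGuard stands in for raising and dropping the privilege, and the label a child inherits at spawn time is modelled as an environment variable SENSITIVITY_LABEL taken from the supervisor's current label. The three child commands are constructed stand-ins for tpi, tpo and the browser.

```python
"""TBFE-style process-group supervisor (added example; PrivilegeGuard and
SENSITIVITY_LABEL are stand-ins for CMW facilities, not real APIs)."""
import os
import subprocess
import sys
import time


class PrivilegeGuard:
    """Hypothetical stand-in for the Chsubjsl privilege; records each raise/drop."""

    def __init__(self):
        self.raised = False
        self.log = []

    def raise_priv(self):
        self.raised = True
        self.log.append("raise")

    def drop_priv(self):
        self.raised = False
        self.log.append("drop")


class Supervisor:
    """Spawns each configured child at its own label, then applies the
    one-terminates-all-terminate rule of steps 560 to 570."""

    def __init__(self, original_label="SYSTEM INSIDE"):
        self.original_label = original_label
        self.label = original_label      # the supervisor's current sensitivity label
        self.priv = PrivilegeGuard()
        self.children = []               # (label, Popen) pairs in spawn order

    def _set_label(self, label):
        # A label change is legal only while the privilege is held.
        if not self.priv.raised:
            raise PermissionError("sensitivity label change without Chsubjsl")
        self.label = label

    def spawn(self, entry):
        """entry: {'level': label, 'argv': [...]}, like one configuration entry."""
        self.priv.raise_priv()                  # step 520
        self._set_label(entry["level"])         # step 525
        self.priv.drop_priv()                   # step 530: the child must not inherit it
        # The child inherits whatever label the parent holds at spawn time;
        # modelled here by capturing it into the child's environment.
        env = dict(os.environ, SENSITIVITY_LABEL=self.label)
        proc = subprocess.Popen(entry["argv"], env=env)   # step 535
        self.children.append((entry["level"], proc))
        self.priv.raise_priv()                  # step 540
        self._set_label(self.original_label)    # step 545
        self.priv.drop_priv()                   # step 550
        return proc

    def run(self, entries, poll_interval=0.05):
        """Spawn all entries, wait for the first exit, stop the rest.
        Returns (label, returncode) of the child that terminated first."""
        for entry in entries:                   # steps 515 / 555
            self.spawn(entry)
        first = None
        while first is None:                    # step 560: wait for any child to exit
            for level, proc in self.children:
                if proc.poll() is not None:
                    first = (level, proc.returncode)
                    break
            else:
                time.sleep(poll_interval)
        for _, proc in self.children:           # step 565: exit signals to the others
            if proc.poll() is None:
                proc.terminate()
        for _, proc in self.children:
            proc.wait()
        return first                            # step 570: the caller now exits


def demo_entries():
    """Constructed stand-ins: two long-running children and one that exits at
    once, reporting whether it inherited the label its entry asked for."""
    py = sys.executable
    return [
        {"level": "SYSTEM INSIDE", "argv": [py, "-c", "import time; time.sleep(30)"]},
        {"level": "SYSTEM OUTSIDE", "argv": [py, "-c", "import time; time.sleep(30)"]},
        {"level": "SYSTEM MIDDLE", "argv": [py, "-c",
            "import os, sys; sys.exit(0 if os.environ.get('SENSITIVITY_LABEL') "
            "== 'SYSTEM MIDDLE' else 3)"]},
    ]


if __name__ == "__main__":
    print("first child to exit:", Supervisor().run(demo_entries()))
```

The point worth checking in any such supervisor is the bracketing order: the privilege is dropped before the fork (step 530), so a child that is later compromised by mobile code never holds it, and it is re-raised only after the fork to restore the parent's own label.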
[0059] Other than the Chsubjsl privilege, TBFE also needs Configaudit, Suspendaudit and Writeaudit privileges to enable it to configure, manipulate and write audit records. Audit records may be used as a historical log of events, which can be analysed to trace any unusual activity, potentially resulting from rogue mobile code. Auditing is well known in computer system management practice, and will thus not be described herein in any further detail. 



[0060] When TPI 212 is started by the TBFE in the SI compartment, TPI 212 makes a system call which allows it to act as a multilevel server. To make the system call, TPI 212 requires the Chsubjsl privilege: TPI 212 raises the Chsubjsl privilege, makes the system call and then lowers the Chsubjsl privilege again. Once acting as a multilevel server, TPI 212 can receive connections on its allocated TCP port from the SM compartment as well as from the SI compartment. 

[0061] When the TPO 214 is started by the TBFE in the SO compartment, TPO 214 also makes a system call which allows it to act as a multilevel server. To make the system call, as for TPI 212, TPO 214 requires the Chsubjsl privilege: TPO 214 raises the Chsubjsl privilege, makes the system call and then lowers the Chsubjsl privilege again. TPO 214 then waits for connections on its allocated TCP port, which is typically port 1080, the default SOCKS port. The same port number is also configured in the Web browser 210's options, to be used by the Web browser 210 as the messaging proxy port number to which all Web requests are sent. 

[0062] Having started a Web browser 210 on the CMW machine 200, as described above, the user is presented with a standard Web browser 210 screen, which is rendered in an X-window of the X display server 232 on the user machine 230. The display server 232 facilitates all keyboard or mouse interaction by the user with the window by sending events to the Web browser 210 on the CMW machine 200. The Web browser 210 responds with requests, which control the display server 232, for example to update the X-window display. For ease of understanding only, both X events and X requests will be referred to as X-messages. Typically the initial display is that of the user's 'home page'. 

[0063] The sequence of steps that occur when a user requests a Web page from a Web server 252 will now be described with reference to the flow diagram in Fig- 
[0064] In step 600, the user submits a request for a specific Web page, or other resource. The request can be a result of the user selecting a hyperlink or typing in the respective URL (universal resource locator). The request is received by TPI 212 in step 605. In step 610, TPI 212 raises the Allowmacwrite privilege, to allow TPI 212 to override the MAC's read/write restrictions in order to transfer the request from the display server 232 (attached to the SI compartment) to the Web browser 210 (in the SM compartment) in step 615. When the transfer is complete, in step 620, TPI 212 lowers the Allowmacwrite privilege again. 

[0065] In step 625, the Web browser 210 receives the request and attempts to initiate a connection with the appropriate remote Web server 252, which holds the required Web page. TPO 214 receives the connection request from the Web browser 210 in step 630 and raises the Allowmacread privilege, in step 635, in order to facilitate data transfer from the Web browser 210 (in the SM compartment) to the external network (attached to the SO compartment). Then, in step 640, TPO 214 forwards the connection request to the external network. TPO 214 also acts to filter the request to block communications with prohibited external sites. After transmission is complete, in step 645, TPO 214 lowers the Allowmacread privilege again. 
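An added example of the request filtering TPO 214 performs in step 640, written for this page and not taken from the patent: the patent says only that TPO blocks communications with prohibited external sites, so the request layout follows the SOCKS5 CONNECT request of RFC 1928 [SOCKS] (the port TPO listens on, per paragraph [0061]), while the deny list, the restriction to HTTP(S) ports and the decision to refuse malformed requests are constructed policy choices. The reply code returned is the SOCKS5 REP field TPO would send back to the browser.

```python
"""SOCKS5 CONNECT request parser and destination filter (added example;
the policy contents are constructed, the wire format is RFC 1928)."""
import ipaddress
import struct

SOCKS_VERSION = 5
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCEEDED = 0x00
REP_NOT_ALLOWED = 0x02          # RFC 1928: "connection not allowed by ruleset"
REP_CMD_NOT_SUPPORTED = 0x07


class SocksError(ValueError):
    """Malformed SOCKS5 request."""


def parse_connect_request(data):
    """Decode VER CMD RSV ATYP DST.ADDR DST.PORT; return (cmd, host, port)."""
    if len(data) < 5 or data[0] != SOCKS_VERSION:
        raise SocksError("not a SOCKS5 request")
    cmd, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr_len = 4
    elif atyp == ATYP_IPV6:
        addr_len = 16
    elif atyp == ATYP_DOMAIN:
        addr_len = 1 + data[4]          # one length byte, then the name
    else:
        raise SocksError("unknown address type")
    end = 4 + addr_len
    if len(data) < end + 2:             # address and port must both be present
        raise SocksError("truncated request")
    addr = data[4:end]
    if atyp == ATYP_IPV4:
        host = str(ipaddress.IPv4Address(addr))
    elif atyp == ATYP_IPV6:
        host = str(ipaddress.IPv6Address(addr))
    else:
        try:
            host = addr[1:].decode("ascii").lower()
        except UnicodeDecodeError as exc:
            raise SocksError("non-ASCII domain name") from exc
    port = struct.unpack("!H", data[end:end + 2])[0]
    return cmd, host, port


class SitePolicy:
    """Deny list of host-name suffixes and IP networks; only CONNECT to the
    listed ports is forwarded (constructed policy, not the patent's)."""

    def __init__(self, denied_suffixes, denied_networks, allowed_ports=(80, 443)):
        self.denied_suffixes = tuple(s.lower().lstrip(".") for s in denied_suffixes)
        self.denied_networks = [ipaddress.ip_network(n) for n in denied_networks]
        self.allowed_ports = set(allowed_ports)

    def decide(self, data):
        """Return the SOCKS5 REP code the proxy should answer with."""
        try:
            cmd, host, port = parse_connect_request(data)
        except SocksError:
            return REP_NOT_ALLOWED      # malformed requests are never forwarded
        if cmd != CMD_CONNECT:
            return REP_CMD_NOT_SUPPORTED
        if port not in self.allowed_ports:
            return REP_NOT_ALLOWED
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            ip = None                   # a domain name, not a literal address
        if ip is not None:
            if any(ip in net for net in self.denied_networks):
                return REP_NOT_ALLOWED
        elif any(host == s or host.endswith("." + s) for s in self.denied_suffixes):
            return REP_NOT_ALLOWED
        return REP_SUCCEEDED


def build_request(host, port, cmd=CMD_CONNECT):
    """Encode a SOCKS5 request; used here only to construct sample input."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("ascii")
        body = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        body = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    return bytes([SOCKS_VERSION, cmd, 0x00]) + body + struct.pack("!H", port)


if __name__ == "__main__":
    policy = SitePolicy(["blocked.example"], ["192.0.2.0/24"])
    for host, port in [("www.example.com", 80), ("cdn.blocked.example", 443), ("192.0.2.10", 80)]:
        print(host, port, "->", policy.decide(build_request(host, port)))
```

Matching the deny list on the parsed destination (rather than on a string the browser supplies) and refusing anything that does not parse are what keep the SM compartment from reaching a prohibited site through an oddly encoded request.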
[0066] The processes that occur once the request reaches the Internet are well known in the present art and will not therefore be described herein in detail. In brief, however, in step 650, the Web server 252 receives the request and responds by returning the Web page and associated mobile code to the CMW machine 200. In practice, one Web page typically references, and is rendered from, multiple data sources (commonly containing data such as formatted text and graphics images), which are down-loaded onto a Web browser using multiple HTTP requests. In the present case, where the Web page includes mobile code, there will be a reference to at least one embedded process, for example a Java applet, which is down-loaded to the Web browser in the form of byte codes. 
[0067] In step 655, TPO 214 receives the stream of HTTP from the Web server 252. TPO 214 again filters the stream at this stage to block undesirable messages. Then, in step 660, TPO 214 raises the Allowmacwrite privilege and passes the HTTP stream from the SO compartment to the Web browser 210 in the SM compartment in step 664. Then, in step 667, TPO 214 lowers the Allowmacwrite privilege. 

[0068] The Web browser 210 receives the stream and interprets the content as a Web page with embedded mobile code, in step 670. The Web browser 210, which is configured to allow mobile code to execute, then loads the mobile code into memory and executes it. As a result of executing the mobile code, the Web browser 210 generates a graphical output, in step 677, and requests a connection, in step 680, to pass the output X-messages to the display server 232. 
[0069] When the Web browser 210 requests a connection from the SM compartment, TPI 212 accepts the request, evaluates it and tries to make a connection to the remote display server 232 in step 685. The identity and location of the remote display server 232 that the user is using is passed to TPI 212 as a parameter in the configuration file, as described above. On successfully connecting to the display server 232, TPI 212 raises the Allowmacread and Allowmacwrite privileges in step 690 and, having established a connection, pumps the messages between the SM and the SI compartments in step 695 to the display server 232. Optionally, some X-message filtering can also be performed here to prevent suspicious X-messages, potentially generated by the mobile code, from getting through. 

[0070] Then, TPI 212 lowers the Allowmacread and Allowmacwrite privileges in step 697 and, finally, in step 699, the display server 232 receives the X-messages and renders the X-window appropriately. 
[0071] The users of the internal network 220, who can only connect to the SI compartment, cannot bypass the security administration by directly starting their own Web browser. This is because Web browsers started by internal users cannot gain access to the TPO 214, as a result of TPO 214 accepting connections only from the SM and SO compartments. Web browsers 210 started by internal users directly can therefore interact only with the internal network 220. 

[0072] It is emphasised that the embodiment described above defines only one specific way of working the present invention, which conveniently takes advantage of HP's CMW operating system. Clearly, other CMW-compliant operating systems, such as SUN Microsystems' Trusted Solaris operating system, could be readily configured to implement the invention. Indeed, embodiments of the invention could be implemented in any operating system, by configuring the operating system to provide appropriate functionality. The present invention should therefore be read to encompass any system that applies the general teachings that 

[0073] It will be appreciated that the invention is particularly suited to increasing security in scenarios where 

for interaction with other clients or servers in a client-server environment. Such an environment can be one that complies with the CORBA (Common Object Request Broker Architecture) model. 



[0074] 

[NCSC]: National Computer Security Centre, "Department of Defence Trusted Computer System Evaluation Criteria", DoD Standard 5200.28-STD, 1985. 
[DIA91]: "Compartmented Mode Workstation Evaluation Criteria VERSION 1 (Final)", J.P.L. Woodward, DDS-2600-6243-91, 1991. 
[X Window]: "X Window System", Robert Scheifler and James Gettys, Digital Press, 1992. 
[SOCKS]: "SOCKS Protocol Version 5", M. Leech, M. Ganis, Y. Lee, et al., RFC 1928, March 1996. 

[0075] CMW machine 200 Manuals: 

HP-UX Trusted OS Installation Manual 
HP-UX Trusted OS Read Me First / Release Notes 
HP-UX 10.09.01 CMW machine 200 Trusted Facility Admin Ref. Manual 
HP-UX 10.09.01 CMW machine 200 Key Security 
HP-UX 10.09.01 CMW machine 200 Support Media User's Guide 
HP-UX 10.09.01 CMW machine 200 MaxSix Administrator's Guide 
HP-UX 10.09.01 CMW machine 200 Security Features User's Guide 
HP-UX 10.09.01 CMW machine 200 Security Features Programmer's Guide 

1. A browser system, comprising: 

a browser process configured to receive from a remote data source a resource incorporating mobile code and to process the mobile code to generate graphical output data; and 
an inside interface process configured to provide a communications channel between the browser process and a remote display system to facilitate transfer of the graphical output data to the remote display system. 

2. A browser system according to claim 1, comprising an operating system which associates processes or objects within the operating environment of the operating system with one of a number of sensitivity labels, wherein the browser process has a first sensitivity label and data associated with the remote display system has a second sensitivity label. 

3. A browser system according to either preceding claim, wherein the inside interface process has a first privilege which allows it to transfer data from the browser process to the remote display system. 

4. A browser system according to claim 3, wherein the inside interface process is configured to raise the first privilege when data transfer is required and lower the first privilege after data transfer is completed. 

5. A browser system according to any one of the preceding claims, further comprising an outside interface process, which provides a communications channel between the browser process and the remote data source to facilitate transfer of data from the remote data source to the browser process. 

6. A browser system according to claim 5, wherein data associated with the remote data source has a third sensitivity label. 

7. A browser system according to claim 5 or claim 6, wherein the outside interface process has a second privilege which allows it to transfer data from the remote data source to the browser process. 

8. A browser system according to claim 7, wherein the outside interface process is configured to raise the second privilege when data transfer is required and lower the second privilege after data transfer is completed. 

9. ... the inside interface process is configured as a multi-level process whereby it can receive connection requests having either the first sensitivity label or the second sensitivity label. 

10. ... the outside interface process is configured as a multi-level process whereby it can receive connection requests having either the first sensitivity label or the third sensitivity label. 

11. A browser system according to any one of the preceding claims, wherein the operating system enforces Mandatory Access Control. 

12. A browser system configured for operation in an operating system enforcing mandatory access control, the browser system comprising: 

a browser process having a first sensitivity label; 
an inside interface process having privileges that allow it to transfer data between the browser process and a display system, the operating system being configured to allocate data associated with the remote display system with a second sensitivity label; and 
an outside interface process having privileges that allow it to transfer data between the browser and a remote data source, the operating system being configured to allocate data associated with the remote data source with a third sensitivity label, the browser process being configured to: 

receive via the outside interface process a resource including mobile code; 

send the graphical output data via the inside interface process to the display server. 

13. A browser system according to claim 11, wherein the browser process is further configured to receive a request, via the inside interface process, from the ... for a resource including mobile code and to transfer a respective request for the resource, via the outside interface process, to the remote data source. 

14. A method of securely accessing a resource including mobile code using a browser system configured for operation in an operating system enforcing mandatory access control, the method including a browser process having a first sensitivity label enacting the steps of: 

receiving, via an outside interface process, a resource including mobile code from a remote data source, the operating system being configured to allocate data associated with the remote data source with a third sensitivity label and the outside interface process having privileges that allow it to transfer data between the browser and the remote data source; 
processing the mobile code to provide graphical output data; and 
sending the graphical output data via an inside interface process to a display server, the operating system being configured to allocate data associated with the remote display system with a second sensitivity label and the inside interface process having privileges that allow it to transfer data between the browser process and the display system. 
[Flow diagram, TBFE start-up (steps 500 to 545): 500 START TBFE; 510 PARSE CONFIGURATION FILE; 515 FOR EACH ENTRY IN CONFIGURATION FILE; 520 RAISE CHSUBJSL PRIVILEGE; 525 ADOPT CHILD'S SENSITIVITY LABEL; 530 DROP CHSUBJSL PRIVILEGE; 535 SPAWN CHILD PROCESS; 540 RAISE CHSUBJSL PRIVILEGE; 545 REVERT TO ORIGINAL SENSITIVITY LABEL] 

[Flow diagram, Web page request (steps 605 to 699): 605 TPI RECEIVES REQUEST; 610 TPI RAISES ALLOWMACWRITE; TPI TRANSFERS REQUEST TO BROWSER; BROWSER GENERATES CONNECTION REQUEST; TPO FORWARDS REQUEST TO WEB SERVER; 645 TPO LOWERS ALLOWMACREAD; WEB SERVER PROCESSES REQUEST; WEB SERVER CONNECTION; HTTP STREAM; 660 TPO RAISES ALLOWMACWRITE; TPO PASSES HTTP STREAM TO BROWSER; BROWSER INTERPRETS HTTP STREAM; 680 BROWSER OPENS CONNECTION TO TPI; 685 TPI CONNECTS TO DISPLAY SERVER; 690 TPI RAISES ALLOWMACREAD AND ALLOWMACWRITE; TPI PUMPS GRAPHICAL OUTPUT TO DISPLAY SERVER; TPI LOWERS ALLOWMACREAD AND ALLOWMACWRITE; DISPLAY SERVER RECEIVES AND RENDERS GRAPHICAL OUTPUT] 